chore(deps): patch 4 Dependabot alerts (hono 4.12.24)#242

Merged
mrw-rl merged 1 commit into
mainfrom
chore/bump-hono-4.12.24
Jun 8, 2026
Conversation

@mrw-rl mrw-rl commented Jun 8, 2026

Contributor

What

Bumps the pnpm hono override 4.12.18 → 4.12.24 to clear four medium Dependabot alerts (#76–#79), all fixed in hono 4.12.21:

| Alert | GHSA | Issue |
|---|---|---|
| #76 | GHSA-f577-qrjj-4474 | JWT middleware accepts any Authorization scheme, not just Bearer |
| #77 | GHSA-xrhx-7g5j-rcj5 | IP restriction bypasses static deny rules for non-canonical IPv6 |
| #78 | GHSA-2gcr-mfcq-wcc3 | app.mount() strips prefix using undecoded path → mis-routing on percent-encoded paths |
| #79 | GHSA-3hrh-pfw6-9m5x | Cookie helper does not sanitize sameSite/priority → Set-Cookie injection |

Why this approach

hono is purely transitive (@modelcontextprotocol/sdk → @hono/node-server) and already governed by the pnpm overrides block, so a single pin bump is the clean fix. Targeting 4.12.24 (latest in the same minor line) rather than the minimum 4.12.21 — all patch-level releases, a superset of the fixes, zero breaking surface.

Peer ranges accept it: @hono/node-server wants ^4, the MCP SDK wants ^4.11.4. Lockfile resolves hono@4.12.24 at every site with no stragglers below the patched floor.

Verification

  • pnpm run build (tsc) → clean
  • Tests: 800/804 pass. The 4 failures are the live-API scp/rsync e2e suite failing on 401 (no API key in CI/sandbox) — unrelated to this change.

🤖 Generated with Claude Code

Bumps the pnpm `hono` override 4.12.18 -> 4.12.24 to clear four medium
Dependabot alerts (#76-79), all fixed in hono 4.12.21:

- GHSA-f577-qrjj-4474: JWT middleware accepts any Authorization scheme
- GHSA-xrhx-7g5j-rcj5: IP restriction bypasses deny rules for non-canonical IPv6
- GHSA-2gcr-mfcq-wcc3: app.mount() strips prefix using undecoded path
- GHSA-3hrh-pfw6-9m5x: cookie helper does not sanitize sameSite/priority

hono is transitive via @modelcontextprotocol/sdk -> @hono/node-server;
peer ranges (^4, ^4.11.4) accept 4.12.24. Build clean, unit/component
tests pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
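The description above asserts that the lockfile resolves hono at or above the patched floor at every site. The following is an added check, not code from this PR or from the hono or pnpm projects: it scans a pnpm-lock.yaml (v9 layout assumed) for every concrete version of one package and reports any below a given floor, with a constructed lockfile excerpt in which one site is deliberately left behind.

```javascript
// Added check (not from the PR or the hono/pnpm projects): scan a pnpm-lock.yaml
// (v9 layout) for every concrete version of one package and report any below a
// patched floor, i.e. a dependency site an override bump left behind.
// Parse "MAJOR.MINOR.PATCH"; pre-release/build suffixes are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? m.slice(1, 4).map(Number) : null;
}
// Negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}
// Every version of `pkg` the lockfile pins, from three line shapes:
//   "hono@4.12.24:" (packages/snapshots entry), "hono: 4.12.24" (dependency of
//   another package) and the importer form "hono:" / "specifier:" / "version: 4.12.24".
function resolvedVersions(lockText, pkg) {
  const name = pkg.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
  const ver = '(\\d+\\.\\d+\\.\\d+)';
  const shapes = [
    new RegExp(`^\\s*'?${name}@${ver}`, 'gm'),
    new RegExp(`^\\s*'?${name}'?:\\s*${ver}`, 'gm'),
    new RegExp(`^\\s*'?${name}'?:\\s*\\n\\s*specifier:[^\\n]*\\n\\s*version:\\s*${ver}`, 'gm'),
  ];
  const found = new Set();
  for (const re of shapes) for (const m of lockText.matchAll(re)) found.add(m[1]);
  return [...found].sort(compareSemver);
}
// Versions still below `floor`; an empty array means no stragglers.
function stragglers(lockText, pkg, floor) {
  return resolvedVersions(lockText, pkg).filter((v) => compareSemver(v, floor) < 0);
}
// Constructed lockfile excerpt (the @hono/node-server version and the integrity
// value are placeholders); one site is left at 4.12.18 on purpose.
const SAMPLE_LOCK = `
importers:
  .:
    dependencies:
      hono:
        specifier: ^4.11.4
        version: 4.12.24
packages:
  hono@4.12.24:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  '@hono/node-server@0.0.0(hono@4.12.18)':
    dependencies:
      hono: 4.12.18
  hono@4.12.24: {}
`;
```

Running `stragglers(lockText, 'hono', '4.12.21')` over the real lockfile should return an empty array once the override bump has taken effect everywhere.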

mrw-rl commented Jun 8, 2026

Contributor Author

Justification for the age-gate override:

  • hono@4.12.24 vetted clean: registry signature cryptographically verified, lockfile integrity hash matches the signed tarball, zero install-time lifecycle scripts (Shai-Hulud's vector), no bin, published by the legit maintainer (yusukebe). Plus your onlyBuiltDependencies allowlist would block any hono postinstall anyway.
  • The age-gate trip is expected, not a smell: it's flagging recency (published 2026-06-08), which is the control working as designed — and we've independently established the artifact is sound.
  • Residual gap to disclose if your exception process asks: no SLSA/sigstore provenance attestation (hono releases manually via np), so the registry signature is the strongest link in the chain rather than full build provenance.

@mrw-rl mrw-rl requested review from dines-rl and jason-rl June 8, 2026 19:17
@mrw-rl mrw-rl merged commit 6203000 into main Jun 8, 2026
20 of 22 checks passed
@mrw-rl mrw-rl deleted the chore/bump-hono-4.12.24 branch June 8, 2026 20:18
2 participants